On 05/26/2016 12:23 PM, Alexander Bokovoy wrote:
> On Thu, 26 May 2016, thierry bordaz wrote:
>> The limitation would be to run the provisioning on IPA master.
>> During provisioning, membership attribute will be invalid (memberof
>> not computed). Is it acceptable that IPA master contains invalid
>> membership for some time?
> Consider provisioning to be at the same level as running
> ipa-server-upgrade -- access via 389/636 ports is not allowed, LDAPI is
> the only interface enabled, which implies there would be no problem.
> Set expectations right: provisioning mode is offline.
>> Yes, I agree, provisioning mode is offline.
>> My concern is about side effects on the rest of the topology if we
>> are putting IPA master offline (is password update possible on
> Sure, update on replica would be queued in replication queue. Password
> changes are local anyway, they result in updates of few password
> attributes and that's all. These attributes are replicated in the same way
> as anything else.
Yes, that is right.
I remember a discussion about the master key that was only available on
IPA master and I thought that IPA master had a specific role around krb
attributes. But if provisioning can be done on IPA master, it is then a
good idea to use root/ldapi to avoid getting DM password.
Thanks for all your feedback and help
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
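The two practical points of the thread above, binding over LDAPI as root so the Directory Manager password never has to be handled, and recomputing memberof once an offline provisioning run has finished, as an added shell example. This is not code from the thread or from the FreeIPA project; it assumes the 389-ds socket naming used by IPA (/var/run/slapd-REALM.socket with dots replaced by dashes), root autobind to cn=Directory Manager over SASL EXTERNAL, and the 389-ds memberOf fixup task entry under cn=tasks,cn=config. The realm EXAMPLE.COM and the base DN are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: LDAPI access without the DM password,
# plus the LDIF that asks 389-ds to recompute memberof after provisioning.

# IPA names its 389-ds instance after the realm, dots turned into dashes
# (assumed layout; check /var/run for the real socket on your master).
ldapi_socket_path() {
  printf '/var/run/slapd-%s.socket' "$(printf '%s' "$1" | tr '.' '-')"
}

# The socket path goes into the authority part of the URI, so every "/"
# must be percent-encoded; a literal path here is the usual mistake.
ldapi_uri() {
  printf 'ldapi://%s' "$(printf '%s' "$1" | sed 's#/#%2f#g')"
}

# Search bound as root via SASL EXTERNAL: 389-ds autobind maps uid 0 to
# Directory Manager, so no password leaves the host and nothing goes to a
# TCP port (which is exactly the interface left open in provisioning mode).
ldapi_search_cmd() {
  realm="$1"; base="$2"; filter="$3"
  printf 'ldapsearch -Y EXTERNAL -H %s -b %s %s memberOf' \
    "$(ldapi_uri "$(ldapi_socket_path "$realm")")" "$base" "$filter"
}

# memberof is left uncomputed while provisioning runs, so the follow-up is a
# fixup task. This emits the LDIF to ldapadd over the same LDAPI URI; the
# task DN and attribute names are the 389-ds memberOf plugin's (assumed here).
memberof_fixup_ldif() {
  task="$1"; base="$2"; filter="${3:-(objectclass=*)}"
  printf 'dn: cn=%s,cn=memberOf task,cn=tasks,cn=config\n' "$task"
  printf 'objectClass: top\n'
  printf 'objectClass: extensibleObject\n'
  printf 'cn: %s\n' "$task"
  printf 'basedn: %s\n' "$base"
  printf 'filter: %s\n' "$filter"
}

# Usage: print the search command and the fixup LDIF for a sample deployment.
ldapi_search_cmd EXAMPLE.COM dc=example,dc=com '(uid=admin)'; echo
memberof_fixup_ldif fixup_after_provisioning dc=example,dc=com '(objectclass=posixAccount)'
```

The search is the check to run before reopening 389/636: with the fixup task done, the memberOf values of a provisioned user should match the group entries that list it. Until then the thread's caveat stands, and any consumer reading memberof from this master (or from a replica that received the bulk load) sees stale membership.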